Re: [Bro-Dev] Option -z

2016-05-26 Thread Vern Paxson
> If one
> could express such analyses easily with a few lines of script code,
> that would be quite powerful for doing script inspection that's also
> easy to customize.

Well sure, but it's not clear one can get to that point without some
significant work under the hood anyway in terms of the features needed to
make the script-level expression a few lines of code.

Vern
___
bro-dev mailing list
bro-dev@bro.org
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev


Re: [Bro-Dev] Option -z

2016-05-26 Thread Robin Sommer


On Thu, May 26, 2016 at 07:41 -0700, you wrote:

> I wonder if they don't use it because it's not on their radar.  It's
> actually pretty handy,

I see that in principle but hardcoding the functionality in C++-land
doesn't seem to be the ideal way to go about things like this. If one
could express such analyses easily with a few lines of script code,
that would be quite powerful for doing script inspection that's also
easy to customize.

Robin

-- 
Robin Sommer * ICSI/LBNL * ro...@icir.org * www.icir.org/robin


Re: [Bro-Dev] Option -z

2016-05-26 Thread Vern Paxson
> Just removing this specific use
> of finding NOTICEs, which doesn't seem anybody has been using in a
> long time.

I wonder if they don't use it because it's not on their radar.  It's
actually pretty handy, a way of telling when you think the set of NOTICEs
should be X, but it's actually X'.  Can help with writing documentation
or finding dead code (of a form), or telling just what happens due to
the hierarchy of @load's that a script pulls in.

Vern


Re: [Bro-Dev] Option -z

2016-05-26 Thread Azoff, Justin S

> On May 26, 2016, at 10:15 AM, Robin Sommer wrote:
> 
> On Wed, May 25, 2016 at 20:56 -0700, you wrote:
> 
>> Well it's there in CHANGES, per the appended.  But yeah looks like it never
>> went anywhere beyond the original instigation, so I think removing it is 
>> okay.
> 
> Ah, I didn't realize this is what originally introduced the whole
> traversal machinery. That infrastructure is used in a few places now,
> and I'm not planning on touching that. Just removing this specific use
> of finding NOTICEs, which doesn't seem anybody has been using in a
> long time.
> 
> Robin

It also has a minor issue that prevents it from being more useful, it outputs

AddressScan

instead of the fully namespaced

Scan::AddressScan

-- 
- Justin Azoff


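As an added example (not code from this thread or from Bro itself), a small Python sketch of the `-z notice` enumeration with the namespacing Justin asks for: it tracks the current `module` declaration and qualifies bare enum names, so `AddressScan` declared under `module Scan;` is reported as `Scan::AddressScan`. The sample script is constructed, and the regex-based, text-level approach is an assumption standing in for Bro's actual script traversal.

```python
import re

# Constructed sample Bro script (not from the thread): two modules extend Notice::Type.
SAMPLE_SCRIPT = """module Scan;
export { redef enum Notice::Type += {
    AddressScan,  # one host probing many others
    PortScan,
}; }
module FTP;
export { redef enum Notice::Type += { FTP::Site_Exec_Success, Bad_Port, }; }
"""

MODULE_RE = re.compile(r'module\s+([A-Za-z_][\w:]*)\s*;')
BLOCK_START_RE = re.compile(r'redef\s+enum\s+Notice::Type\s*\+=\s*\{')


def _add_entries(fragment, module, found):
    """Qualify each enum entry in fragment with the current module name."""
    for name in fragment.split(','):
        name = name.split('=')[0].strip()  # tolerate an explicit `= value`
        if not name:
            continue
        # Already-namespaced names and the implicit GLOBAL module stay bare.
        if '::' not in name and module != 'GLOBAL':
            name = f'{module}::{name}'
        if name not in found:
            found.append(name)


def find_notice_types(script_text):
    """Text-level approximation of `-z notice` that reports Scan::AddressScan
    rather than the bare AddressScan Justin describes; not Bro's own AST pass."""
    module, in_block, found = 'GLOBAL', False, []
    for raw in script_text.splitlines():
        line = raw.split('#', 1)[0].strip()  # drop comments and whitespace
        m = MODULE_RE.match(line)
        if m:
            module = m.group(1)
            continue
        if not in_block:
            m = BLOCK_START_RE.search(line)
            if not m:
                continue
            in_block = True
            line = line[m.end():]  # entries may share the opening line
        body, brace, _ = line.partition('}')
        _add_entries(body, module, found)
        if brace:
            in_block = False  # `};` closes the redef block
    return found
```

Printing each result as `Found NOTICE: <name>` reproduces the `-z notice` output format from the CHANGES entry, now with module prefixes.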


Re: [Bro-Dev] Option -z

2016-05-25 Thread Vern Paxson
> Does anybody remember what Bro's option -z is for?

Well it's there in CHANGES, per the appended.  But yeah looks like it never
went anywhere beyond the original instigation, so I think removing it is okay.
OTOH, it's a pretty handy general notion, so instead pushing it further
strikes me as also reasonable.

Vern


0.9a8 Wed Feb 16 17:09:34 PST 2005

- Bro now has a general internal mechanism for traversing policy scripts
  (Umesh Shankar).  Various script analyses can be specified using the
  new -z flag.

  Currently, the one supported form of analysis is "-z notice", which
  prints all of the different types of notices that the script you've
  loaded can generate.  For example, "bro -z notice ftp" will generate:

  Found NOTICE: BackscatterSeen
  Found NOTICE: FTP_PrivPort
  Found NOTICE: FTP_BadPort
  Found NOTICE: PortScan
  Found NOTICE: FTP_ExcessiveFilename
  Found NOTICE: ScanSummary
  Found NOTICE: AddressDropped
  Found NOTICE: DroppedPackets
  Found NOTICE: SensitiveConnection
  Found NOTICE: FTP_UnexpectedConn
  Found NOTICE: SSH_Overflow
  Found NOTICE: FTP_Sensitive
  Found NOTICE: TerminatingConnection
  Found NOTICE: PasswordGuessing
  Found NOTICE: AddressDropIgnored
  Found NOTICE: AddressScan